aeris
/
cryptcheck
İzle 1
Yıldızla 0
Çatalla 0
Kod Konular 0 Değişiklik İstekleri 0 Sürümler 0 Wiki Aktivite
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
54 İşlemeler
3 Dallar
875KB
Ağaç: f1c14eef39
Dallar Biçim İmleri
${ item.name }
Branş ${ searchTerm } oluştur
'f1c14eef39'den
${ noResults }
cryptcheck/lib/cryptcheck/tls/server.rb

311 satır
8.6KB
Ham Suçlama Geçmiş 

  1. require 'socket'

  2. require 'openssl'

  3. require 'httparty'

  4. 

  5. module CryptCheck

  6. 	module Tls

  7. 		class Server

  8. 			TCP_TIMEOUT       = 10

  9. 			SSL_TIMEOUT       = 2*TCP_TIMEOUT

  10. 			EXISTING_METHODS  = %i(TLSv1_2 TLSv1_1 TLSv1 SSLv3 SSLv2)

  11. 			SUPPORTED_METHODS = ::OpenSSL::SSL::SSLContext::METHODS

  12. 			class TLSException < ::StandardError

  13. 			end

  14. 			class TLSNotAvailableException < TLSException

  15. 				def to_s

  16. 					'TLS seems not supported on this server'

  17. 				end

  18. 			end

  19. 			class MethodNotAvailable < TLSException

  20. 			end

  21. 			class CipherNotAvailable < TLSException

  22. 			end

  23. 			class Timeout < ::StandardError

  24. 			end

  25. 			class TLSTimeout < Timeout

  26. 			end

  27. 			class ConnectionError < ::StandardError

  28. 			end

  29. 

  30. 			attr_reader :family, :ip, :port, :hostname, :prefered_ciphers, :cert, :cert_valid, :cert_trusted, :dh

  31. 

  32. 			def initialize(hostname, family, ip, port)

  33. 				@hostname, @family, @ip, @port = hostname, family, ip, port

  34. 				@dh                            = []

  35. 				Logger.info { name.colorize :blue }

  36. 				extract_cert

  37. 				Logger.info { '' }

  38. 				Logger.info { "Key : #{Tls.key_to_s self.key}" }

  39. 				fetch_prefered_ciphers

  40. 				check_supported_cipher

  41. 				uniq_dh

  42. 			end

  43. 

  44. 			def key

  45. 				@cert.public_key

  46. 			end

  47. 

  48. 			def cipher_size

  49. 				supported_ciphers.collect { |c| c.size }.min

  50. 			end

  51. 

  52. 			def supported_protocols

  53. 				@supported_ciphers.keys

  54. 			end

  55. 

  56. 			def supported_ciphers

  57. 				@supported_ciphers.values.flatten 1

  58. 			end

  59. 

  60. 			def supported_ciphers_by_protocol(protocol)

  61. 				@supported_ciphers[protocol]

  62. 			end

  63. 

  64. 			EXISTING_METHODS.each do |method|

  65. 				class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1

  66. 					def #{method.to_s.downcase}?

  67. 						!prefered_ciphers[:#{method}].nil?

  68. 					end

  69. 				RUBY_EVAL

  70. 			end

  71. 

  72. 			{

  73. 					md2:  %w(md2WithRSAEncryption),

  74. 					md5:  %w(md5WithRSAEncryption md5WithRSA),

  75. 					sha1: %w(sha1WithRSAEncryption sha1WithRSA dsaWithSHA1 dsaWithSHA1_2 ecdsa_with_SHA1)

  76. 			}.each do |name, signature|

  77. 				class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1

  78. 					def #{name}_sig?

  79. 						#{signature}.include? @cert.signature_algorithm

  80. 					end

  81. 				RUBY_EVAL

  82. 			end

  83. 

  84. 			Cipher::TYPES.each do |type, _|

  85. 				class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1

  86. 					def #{type}?

  87. 						supported_ciphers.any? { |c| c.#{type}? }

  88. 					end

  89. 				RUBY_EVAL

  90. 			end

  91. 

  92. 			def key_size

  93. 				@cert.public_key.rsa_equivalent_size

  94. 			end

  95. 

  96. 			def ssl?

  97. 				sslv2? or sslv3?

  98. 			end

  99. 

  100. 			def tls?

  101. 				tlsv1? or tlsv1_1? or tlsv1_2?

  102. 			end

  103. 

  104. 			def tls_only?

  105. 				tls? and !ssl?

  106. 			end

  107. 

  108. 			def pfs?

  109. 				supported_ciphers.any? { |c| c.pfs? }

  110. 			end

  111. 

  112. 			def pfs_only?

  113. 				supported_ciphers.all? { |c| c.pfs? }

  114. 			end

  115. 

  116. 			private

  117. 			def name

  118. 				name = "#@ip:#@port"

  119. 				name += " [#@hostname]" if @hostname

  120. 				name

  121. 			end

  122. 

  123. 			def connect(&block)

  124. 				socket   = ::Socket.new @family, sock_type

  125. 				sockaddr = ::Socket.sockaddr_in @port, @ip

  126. 				Logger.trace { "Connecting to #{@ip}:#{@port}" }

  127. 				begin

  128. 					status = socket.connect_nonblock sockaddr

  129. 					Logger.trace { "Connecting to #{@ip}:#{@port} status : #{status}" }

  130. 					raise ConnectionError, status unless status == 0

  131. 					Logger.trace { "Connected to #{@ip}:#{@port}" }

  132. 					block_given? ? block.call(socket) : nil

  133. 				rescue ::IO::WaitReadable

  134. 					Logger.trace { "Waiting for read to #{@ip}:#{@port}" }

  135. 					raise Timeout, "Timeout when connect to #{@ip}:#{@port} (max #{TCP_TIMEOUT.humanize})" unless IO.select [socket], nil, nil, TCP_TIMEOUT

  136. 					retry

  137. 				rescue ::IO::WaitWritable

  138. 					Logger.trace { "Waiting for write to #{@ip}:#{@port}" }

  139. 					raise Timeout, "Timeout when connect to #{@ip}:#{@port} (max #{TCP_TIMEOUT.humanize})" unless IO.select nil, [socket], nil, TCP_TIMEOUT

  140. 					retry

  141. 				ensure

  142. 					socket.close

  143. 				end

  144. 			end

  145. 

  146. 			def ssl_connect(socket, context, method, &block)

  147. 				ssl_socket          = ::OpenSSL::SSL::SSLSocket.new socket, context

  148. 				ssl_socket.hostname = @hostname if @hostname and method != :SSLv2

  149. 				Logger.trace { "SSL connecting to #{name}" }

  150. 				begin

  151. 					ssl_socket.connect_nonblock

  152. 					Logger.trace { "SSL connected to #{name}" }

  153. 					return block_given? ? block.call(ssl_socket) : nil

  154. 				rescue ::IO::WaitReadable

  155. 					Logger.trace { "Waiting for SSL read to #{name}" }

  156. 					raise TLSTimeout, "Timeout when TLS connect to #{@ip}:#{@port} (max #{SSL_TIMEOUT.humanize})" unless IO.select [ssl_socket], nil, nil, SSL_TIMEOUT

  157. 					retry

  158. 				rescue ::IO::WaitWritable

  159. 					Logger.trace { "Waiting for SSL write to #{name}" }

  160. 					raise TLSTimeout, "Timeout when TLS connect to #{@ip}:#{@port} (max #{SSL_TIMEOUT.humanize})" unless IO.select nil, [ssl_socket], nil, SSL_TIMEOUT

  161. 					retry

  162. 				rescue ::OpenSSL::SSL::SSLError => e

  163. 					case e

  164. 						when /state=SSLv2 read server hello A$/,

  165. 								/state=SSLv3 read server hello A: wrong version number$/

  166. 							raise MethodNotAvailable, e

  167. 						when /state=error: no ciphers available$/,

  168. 								/state=SSLv3 read server hello A: sslv3 alert handshake failure$/

  169. 							raise CipherNotAvailable, e

  170. 					end

  171. 				rescue SystemCallError => e

  172. 					case e

  173. 						when /^Connection reset by peer$/

  174. 							raise MethodNotAvailable, e

  175. 					end

  176. 				ensure

  177. 					ssl_socket.close

  178. 				end

  179. 			end

  180. 

  181. 			def ssl_client(method, ciphers = nil, &block)

  182. 				ssl_context         = ::OpenSSL::SSL::SSLContext.new method

  183. 				ssl_context.ciphers = ciphers if ciphers

  184. 				Logger.trace { "Try #{method} connection with #{ciphers}" }

  185. 				connect do |socket|

  186. 					ssl_connect socket, ssl_context, method do |ssl_socket|

  187. 						return block_given? ? block.call(ssl_socket) : nil

  188. 					end

  189. 				end

  190. 

  191. 				Logger.debug { "No SSL available on #{name}" }

  192. 				raise CipherNotAvailable

  193. 			end

  194. 

  195. 			def extract_cert

  196. 				EXISTING_METHODS.each do |method|

  197. 					next unless SUPPORTED_METHODS.include? method

  198. 					begin

  199. 						@cert, @chain = ssl_client(method) { |s| [s.peer_cert, s.peer_cert_chain] }

  200. 						Logger.debug { "Certificate #{@cert.subject}" }

  201. 						break

  202. 					rescue TLSException

  203. 					end

  204. 				end

  205. 				raise TLSNotAvailableException unless @cert

  206. 				@cert_valid   = ::OpenSSL::SSL.verify_certificate_identity @cert, (@hostname || @ip)

  207. 				@cert_trusted = verify_trust @chain, @cert

  208. 			end

  209. 

  210. 			def prefered_cipher(method)

  211. 				cipher = ssl_client(method, 'ALL:COMPLEMENTOFALL') { |s| Cipher.new method, s.cipher, s.tmp_key }

  212. 				Logger.info { "Prefered cipher for #{Tls.colorize method} : #{cipher.colorize}" }

  213. 				cipher

  214. 			rescue TLSException => e

  215. 				Logger.debug { "Method #{Tls.colorize method} not supported : #{e}" }

  216. 				nil

  217. 			end

  218. 

  219. 			def fetch_prefered_ciphers

  220. 				@prefered_ciphers = {}

  221. 				EXISTING_METHODS.each do |method|

  222. 					next unless SUPPORTED_METHODS.include? method

  223. 					@prefered_ciphers[method] = prefered_cipher method

  224. 				end

  225. 				raise TLSNotAvailableException unless @prefered_ciphers.any? { |_, c| !c.nil? }

  226. 			end

  227. 

  228. 			def available_ciphers(method)

  229. 				context         = ::OpenSSL::SSL::SSLContext.new method

  230. 				context.ciphers = 'ALL:COMPLEMENTOFALL'

  231. 				context.ciphers

  232. 			end

  233. 

  234. 			def supported_cipher?(method, cipher)

  235. 				dh = ssl_client method, [cipher] { |s| s.tmp_key }

  236. 				@dh << dh if dh

  237. 				cipher = Cipher.new method, cipher, dh

  238. 				dh     = dh ? " (#{'DH'.colorize :green} : #{Tls.key_to_s dh})" : ''

  239. 				Logger.info { "#{Tls.colorize method} / #{cipher.colorize} : Supported#{dh}" }

  240. 				cipher

  241. 			rescue TLSException => e

  242. 				cipher = Cipher.new method, cipher

  243. 				Logger.debug { "#{Tls.colorize method} / #{cipher.colorize} : Not supported (#{e})" }

  244. 				nil

  245. 			end

  246. 

  247. 			def check_supported_cipher

  248. 				Logger.info { '' }

  249. 				@supported_ciphers = {}

  250. 				EXISTING_METHODS.each do |method|

  251. 					next unless SUPPORTED_METHODS.include? method and @prefered_ciphers[method]

  252. 					supported_ciphers = available_ciphers(method).collect { |c| supported_cipher? method, c }.reject { |c| c.nil? }

  253. 					Logger.info { '' } unless supported_ciphers.empty?

  254. 					@supported_ciphers[method] = supported_ciphers

  255. 				end

  256. 			end

  257. 

  258. 			def verify_trust(chain, cert)

  259. 				store         = ::OpenSSL::X509::Store.new

  260. 				store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT

  261. 				store.set_default_paths

  262. 

  263. 				%w(/etc/ssl/certs).each do |directory|

  264. 					::Dir.glob(::File.join directory, '*.pem').each do |file|

  265. 						cert = ::OpenSSL::X509::Certificate.new ::File.read file

  266. 						begin

  267. 							store.add_cert cert

  268. 						rescue ::OpenSSL::X509::StoreError

  269. 						end

  270. 					end

  271. 				end

  272. 				chain.each do |cert|

  273. 					begin

  274. 						store.add_cert cert

  275. 					rescue ::OpenSSL::X509::StoreError

  276. 					end

  277. 				end

  278. 				trusted = store.verify cert

  279. 				p store.error_string unless trusted

  280. 				trusted

  281. 			end

  282. 

  283. 			def uniq_dh

  284. 				dh, find = [], []

  285. 				@dh.each do |k|

  286. 					f = [k.type, k.size]

  287. 					unless find.include? f

  288. 						dh << k

  289. 						find << f

  290. 					end

  291. 				end

  292. 				@dh = dh

  293. 			end

  294. 		end

  295. 

  296. 		class TcpServer < Server

  297. 			private

  298. 			def sock_type

  299. 				::Socket::SOCK_STREAM

  300. 			end

  301. 		end

  302. 

  303. 		class UdpServer < Server

  304. 			private

  305. 			def sock_type

  306. 				::Socket::SOCK_DGRAM

  307. 			end

  308. 		end

  309. 	end

  310. end